Microsoft Sentinel Analytic Rules

Valimail Enforce - Unusual Rate of Configuration Changes or User Additions

Id: 3cbb78d9-81ac-42c9-b3cd-7e6baea7d9ff
Rulename: Valimail Enforce - Unusual Rate of Configuration Changes or User Additions
Description: This query searches for a single user performing more than 3 configuration changes or user additions within a 1-hour window on any domain. An unusual burst of changes may indicate a compromised admin account, unauthorized automation, or insider threat.
Severity: Medium
Tactics: Impact, DefenseEvasion, PrivilegeEscalation
Techniques: T1562, T1531, T1078
Required data connectors: ValimailEnforce
Kind: Scheduled
Query frequency: 1h
Query period: 1h
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ValimailEnforce/Analytic Rules/ValimailEnforce_UnusualChangeRate.yaml
Version: 1.0.0
Arm template: 3cbb78d9-81ac-42c9-b3cd-7e6baea7d9ff.json
let threshold = 3;
let timeWindow = 1h;
ValimailEnforceEvents_CL
| where EventCategory in (
    "DMARCPolicy",
    "SPFConfiguration",
    "DKIMConfiguration",
    "DomainManagement",
    "UserManagement"
  )
| summarize
    ChangeCount       = count(),
    HighValueCount    = countif(IsHighValueEvent == true),
    Domains           = make_set(Subject),
    DomainCount       = dcount(Subject),
    Actions           = make_set(EventType),
    Categories        = make_set(EventCategory),
    FirstSeen         = min(PerformedAt),
    LastSeen          = max(PerformedAt)
  by User, bin(PerformedAt, timeWindow)
| where ChangeCount > threshold
| extend
    AccountName   = tostring(split(User, "@")[0]),
    AccountDomain = tostring(split(User, "@")[1]),
    DomainName    = tostring(Domains[0]),
    ChangesPerMin = round(todouble(ChangeCount) / 60.0, 2)
id: 3cbb78d9-81ac-42c9-b3cd-7e6baea7d9ff
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ValimailEnforce/Analytic Rules/ValimailEnforce_UnusualChangeRate.yaml
entityMappings:
- fieldMappings:
  - identifier: Name
    columnName: AccountName
  - identifier: UPNSuffix
    columnName: AccountDomain
  entityType: Account
- fieldMappings:
  - identifier: DomainName
    columnName: DomainName
  entityType: DNS
requiredDataConnectors:
- dataTypes:
  - ValimailEnforceEvents_CL
  connectorId: ValimailEnforce
queryFrequency: 1h
alertDetailsOverride:
  alertDisplayNameFormat: Unusual change rate by {{User}}, {{ChangeCount}} changes in 1h across {{DomainCount}} domain(s)
  alertDescriptionFormat: |
        User '{{User}}' made {{ChangeCount}} configuration changes across {{DomainCount}} domain(s) within one hour.
queryPeriod: 1h
status: Available
incidentConfiguration:
  groupingConfiguration:
    lookbackDuration: 1d
    reopenClosedIncident: false
    matchingMethod: Selected
    groupByEntities:
    - Account
    enabled: true
  createIncident: true
query: |
  let threshold = 3;
  let timeWindow = 1h;
  ValimailEnforceEvents_CL
  | where EventCategory in (
      "DMARCPolicy",
      "SPFConfiguration",
      "DKIMConfiguration",
      "DomainManagement",
      "UserManagement"
    )
  | summarize
      ChangeCount       = count(),
      HighValueCount    = countif(IsHighValueEvent == true),
      Domains           = make_set(Subject),
      DomainCount       = dcount(Subject),
      Actions           = make_set(EventType),
      Categories        = make_set(EventCategory),
      FirstSeen         = min(PerformedAt),
      LastSeen          = max(PerformedAt)
    by User, bin(PerformedAt, timeWindow)
  | where ChangeCount > threshold
  | extend
      AccountName   = tostring(split(User, "@")[0]),
      AccountDomain = tostring(split(User, "@")[1]),
      DomainName    = tostring(Domains[0]),
      ChangesPerMin = round(todouble(ChangeCount) / 60.0, 2)
name: Valimail Enforce - Unusual Rate of Configuration Changes or User Additions
kind: Scheduled
tactics:
- Impact
- DefenseEvasion
- PrivilegeEscalation
severity: Medium
relevantTechniques:
- T1562
- T1531
- T1078
triggerThreshold: 0
version: 1.0.0
description: |
  This query searches for a single user performing more than 3 configuration changes or user
  additions within a 1-hour window on any domain. An unusual burst of changes may
  indicate a compromised admin account, unauthorized automation, or insider threat.